malwarewikiaorg-20200223-history
CMOSDead
Virus.DOS.CMOSDead is an extremely dangerous memory-resident encrypted virus on DOS. There are 5 variants under 2 different aliases:
* Virus.DOS.CMOSDead.4792
* Virus.DOS.CMOSDead.5154
* Virus.DOS.ILoveDos.3618
* Virus.DOS.ILoveDos.3622
* Virus.DOS.ILoveDos.3710

Behavior

When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run, writing itself to the end of the file. It does not infect files of 4,000 bytes or smaller.

On infection, the virus copies the first 32 bytes of the original code to the end of the viral code and places its own code in their place. It also appends a 4-byte value at the very end of the file holding the offset of the viral code (that is, the original size of the host). For example, if the host is 10,000 (2710h) bytes, these four bytes are:

10 27 00 00

The virus is stealthy, so no file size increase is observable on infected programs while it is resident. The user is unable to find the infection code within the file, even when using "type" to show its contents; if the user copies an infected file, the virus disinfects the copy before writing it to the new destination. The infection is still detectable by comparing checksums.

CMOSDead.4792 and 5154

These variants search for and infect an uninfected COMMAND.COM when an infected program is run, and the system may fail to recognize the infected COMMAND.COM on the next start because its file head has been modified.

ILoveDos.3618, 3622 and 3710

These variants may change the year of the file timestamp on infection if the file was last modified after 2000. For files with a timestamp from 2000 to 2007, the virus sets the year to 1999 on infection; in a file listing, their timestamp appears unchanged as long as the virus stays memory resident. For files with a timestamp of 2008 or later, the virus rolls the year back 28 years on infection, and it is unable to hide the infection size of these files.
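The on-disk layout and the timestamp rules described above, worked through in Python as an added example (not code from the wiki or from the virus). It builds a constructed infected image from filler bytes, recognises a variant from the 4-byte size trailer, reconstructs the clean host, and reproduces the ILoveDos year rewrite and the stealth directory listing. One assumption is labelled in the code: that the saved 32-byte head sits immediately before the trailer, which the page does not state precisely.

```python
import struct

# Bytes each documented variant appends to a host (the number in the variant name).
VARIANT_SIZES = {"CMOSDead.4792": 4792, "CMOSDead.5154": 5154,
                 "ILoveDos.3618": 3618, "ILoveDos.3622": 3622, "ILoveDos.3710": 3710}
HEAD_LEN = 32    # bytes of original entry code the virus saves and overwrites
MIN_HOST = 4000  # hosts of 4,000 bytes or smaller are not infected

def trailer_offset(data: bytes) -> int:
    """4-byte little-endian original host size stored at the very end of the file."""
    return struct.unpack("<I", data[-4:])[0]

def identify(data: bytes):
    """Name the variant whose appended length fits the trailer, or None if none fits."""
    if len(data) < 4:
        return None
    off = trailer_offset(data)
    for name, size in VARIANT_SIZES.items():
        if off > MIN_HOST and off + size == len(data):
            return name
    return None

def recover_host(data: bytes) -> bytes:
    """Rebuild the clean host: drop the appendage and restore the saved 32-byte head.
    Assumption: the saved head sits immediately before the 4-byte trailer."""
    if identify(data) is None:
        raise ValueError("no CMOSDead/ILoveDos trailer recognised")
    off = trailer_offset(data)
    return data[-4 - HEAD_LEN:-4] + data[HEAD_LEN:off]

def infected_year(year: int) -> int:
    """Year the ILoveDos variants write into the timestamp of a file they infect."""
    if 2000 <= year <= 2007:
        return 1999
    return year - 28 if year >= 2008 else year

def listing_while_resident(size: int, year: int, variant: str = "ILoveDos.3618"):
    """(size, year) a directory listing shows while the virus is in memory: stealth
    covers only files whose original year is before 2008."""
    if year < 2008:
        return size, year
    return size + VARIANT_SIZES[variant], infected_year(year)

def build_sample(host: bytes, variant: str = "ILoveDos.3618") -> bytes:
    """Constructed infected image for testing (filler bytes, no real viral code):
    stub head over the first 32 bytes, body, saved original head, size trailer."""
    body = b"\xcc" * (VARIANT_SIZES[variant] - HEAD_LEN - 4)
    return (b"\xeb" * HEAD_LEN + host[HEAD_LEN:] + body
            + host[:HEAD_LEN] + struct.pack("<I", len(host)))
```

A 10,000-byte host run through build_sample ends in the bytes 10 27 00 00 quoted above, and recover_host returns the original bytes exactly, which is the checksum comparison the text recommends made concrete.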
Here is an example for better understanding, using ILoveDos.3618.

Before infection:
FILE1.COM   5,000   2-1-1997
FILE2.COM   5,000   2-1-2001
FILE3.COM   5,000   2-1-2006
FILE4.COM   5,000   2-1-2008
FILE5.COM   5,000   2-1-2010

After infection (virus not in memory):
FILE1.COM   8,618   2-1-1997
FILE2.COM   8,618   2-1-1999
FILE3.COM   8,618   2-1-1999
FILE4.COM   8,618   2-1-1980
FILE5.COM   8,618   2-1-1982

After infection (virus stays in memory):
FILE1.COM   5,000   2-1-1997
FILE2.COM   5,000   2-1-2001
FILE3.COM   5,000   2-1-2006
FILE4.COM   8,618   2-1-1980
FILE5.COM   8,618   2-1-1982

Advanced details

The following table shows the memory usage of the variants.

MD5 hash:

Payload

The virus contains two payloads.

Anti-debugging

ILoveDos variants do not feature this payload. If the user tries to debug an infected file by running it (command P), after a number of processes it clears the screen and displays the following at the center of the screen:

BE CAREFUL !

It also hangs the system and disables keyboard input.

Data corruption

Depending on the system date, the virus activates at random. When activated, it displays flashing ASCII art of the words "CMOS" at the top of the screen and "DEAD" at the bottom of the screen in red. A phrase is also displayed at the center, accompanied by beeps of random frequency. Running this payload at processor speeds contemporary with the time the virus was coded produces a fairly standard series of beeps; running it at faster processor speeds replaces the sound with an unusual and frightening noise, described as "screeching" or "shrieking" in tone, caused by the same sequence being played at a faster rate.

CMOSDead.4792 displays the following:

GRISOFT© SOFTWARE 1989,96

CMOSDead.5154 displays the following:

Your computer will be need a psychiatrist...

During this visually frightening payload, the virus corrupts the data in CMOS; the user must set it again on the next boot.
After the payload has been triggered, if the user attempts to restart the computer by pressing CTRL-ALT-DEL, the virus also formats the hard drive.

Other details

The audible output of the payload has no delay parameter set, so the beeping speed depends on the CPU clock rate. When the payload is run on a slow computer, it produces the "true sound" it was meant for, but in a much faster DOS environment such as Virtual PC the payload becomes extremely loud, so it is recommended to lower the system volume before testing the sample on a faster computer.

The virus contains the following encrypted internal text strings:
IOSYS
COMSPEC=
EXECOM
I love MS-DOS !

Categories: DOS virus, Virus, DOS, TSR, Encrypted virus